With any SaaS solution, the security of customer data is paramount. At Starburst, we employ a number of best practices for securing data within a cloud-native environment.
Cloud Infrastructure
Our infrastructure is continuously monitored and protected by AWS GuardDuty, while the Galaxy app itself is protected from DDOS attacks and traffic spikes by Cloudflare’s global threat protection network. Access to the Galaxy UI is secured with TLS encryption and customer data is never stored within the platform, only queried data is accessed by the platform. Starburst Galaxy does not collect or store credit card information; payments made for Starburst products are completed through Stripe.
PII and third-parties
While your data sources for Starburst Galaxy are managed by you, Starburst staff may be required to access customer information via the Galaxy user interface to provide customer support, fulfill legal requirements, or for other legitimate business purposes. These staff are specially trained to protect privacy through the safeguarding of PII and other sensitive information, and any customer information required to complete the support engagement is deleted upon resolution.
With regard to third-parties, each vendor is screened for adherence to our rigorous standards prior to onboarding and annually reassessed for potential risk to our customers. Data categories that are not critical to providing services are omitted from data transfers. The list of our subprocessors and the data categories shared with them is available here.
For GDPR compliance, Starburst can comply via Standard Contractual Clauses (SCCs) and the data hosting location may be specified in the MSA if EU access is required.
Secure development lifecycle
We follow a secure development process from planning through to production. Security and privacy considerations are accounted for early in feature development, risks and vulnerabilities are tracked through mitigation and remediation respectively, peer reviews are conducted on each commit, and both our on-premise and SaaS products receive regular code scanning through Veracode as well as annual penetration tests. Critical vulnerabilities requiring a patch are addressed according to our SLAs and customers are advised of any additional action needed.
External Auditor Compliance
We maintain both ISO 27001 and SOC2 compliance, which means every business decision is made with this in mind. Undue risk is not introduced into our environment and we strive to go beyond simply meeting compliance controls through continuous improvement of our processes and procedures.
Starburst Galaxy: Defense-in-depth
Through the above measures, Starburst seeks to mitigate the inherent risks associated with utilizing a SaaS product, with particular emphasis on safeguarding any customer data that the platform ingests. We have taken the utmost care to provide defense-in-depth in our products and continual re-examination of our security and development practices. Starburst fosters a culture of feedback and this is reflected in our commitment to creating and maintaining secure products that our customers can depend upon to meet the technological and privacy needs of their business.
